Facebook photo leak flaw raises security concerns

Posted on March 20, 2015

A Facebook mobile code vulnerability, which exposed private photos to hackers, has raised questions about the safety of the social network’s coding in general. Security researcher Laxman Muthiyah recently discovered a critical vulnerability in the Facebook Photo Sync feature that was introduced more than two years ago.

In all that time, Facebook failed to discover the flaw in the feature, which is designed to let users sync their mobile photos with their Facebook account, even though it put millions of private photos at risk.

Muthiyah found that synced photos that had not been published on Facebook and should not have been visible to anyone could be accessed by exploiting a flaw in the photo sync feature.

In a blog post, Muthiyah said he found that the Facebook mobile application makes a GET request to https://graph.facebook.com/me/vaultimages with a top-level access token to read the synced photos.

While the Facebook server checked the request for a valid access token and served the synced photos of the corresponding user in response, it was not designed to check which application was making the request.

Muthiyah discovered that any application with “user_photos” permission could get access to synced mobile photos, which meant hackers could craft apps for this malicious purpose.

He reported the vulnerability to the Facebook Security Team, which fixed the flaw in less than 30 minutes by whitelisting Facebook's official mobile applications so that no other apps can access the endpoint.
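The authorization gap described above, modelled as an added example that is not Facebook's code: a pre-fix handler that checks only the token's permission, a post-fix handler that also requires the token's app id to be on a first-party allow-list, and an audit helper that flags non-first-party apps reaching the endpoint. The token layout, app ids, photo store and access records are all constructed for the illustration.

```python
"""Hypothetical model of the /me/vaultimages authorization decision from the article.
Token layout, app ids, photo store and access records are constructed, not Facebook's."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

@dataclass(frozen=True)
class AccessToken:
    user_id: str
    app_id: str                 # the application the token was issued to
    scopes: FrozenSet[str]      # permissions the user granted, e.g. {"user_photos"}

# Constructed data: allow-list of first-party mobile apps and per-user synced photos.
OFFICIAL_APP_IDS = frozenset({"fb-ios-official", "fb-android-official"})
VAULT = {"user-1": ["synced-001.jpg", "synced-002.jpg"]}

def vaultimages_before_fix(token: AccessToken) -> List[str]:
    """Pre-fix: validates the token and the user_photos permission, but never
    asks which application the token belongs to."""
    if "user_photos" not in token.scopes:
        raise PermissionError("missing user_photos permission")
    return VAULT.get(token.user_id, [])

def vaultimages_after_fix(token: AccessToken) -> List[str]:
    """Post-fix: same checks, plus the caller's app id must be allow-listed."""
    if "user_photos" not in token.scopes:
        raise PermissionError("missing user_photos permission")
    if token.app_id not in OFFICIAL_APP_IDS:
        raise PermissionError(f"app {token.app_id!r} may not read synced photos")
    return VAULT.get(token.user_id, [])

def outcome(handler: Callable[[AccessToken], List[str]], token: AccessToken) -> Tuple[str, List[str]]:
    """Run a handler and report ('ok', photos) or ('denied', [])."""
    try:
        return "ok", handler(token)
    except PermissionError:
        return "denied", []

def audit_log(requests: List[Tuple[str, str]]) -> List[str]:
    """Defender view: from constructed (app_id, endpoint) records, list every
    non-first-party app that reached the vault endpoint at all."""
    return sorted({app for app, path in requests
                   if path == "/me/vaultimages" and app not in OFFICIAL_APP_IDS})

if __name__ == "__main__":
    scopes = frozenset({"user_photos"})
    official = AccessToken("user-1", "fb-ios-official", scopes)
    third_party = AccessToken("user-1", "third-party-app", scopes)  # constructed
    for name, handler in [("before fix", vaultimages_before_fix), ("after fix", vaultimages_after_fix)]:
        print(name, "official:", outcome(handler, official), "third party:", outcome(handler, third_party))
```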

Facebook also paid Muthiyah $10,000 under the company’s bug bounty programme that was introduced to encourage anyone who discovers flaws to report them to the social networking firm.